As healthcare continues to top the list of industries targeted by cyberattacks—and has the highest cost of a breach of all industries—healthcare covered entities can no longer approach cybersecurity from a “what if” perspective, but from a “when” perspective. And, while proactive, compliant, reasonable, and appropriate protections are paramount, having an active incident response plan may ultimately be one of the biggest factors determining the impact of your cyber incident and how far your organization will have to go to recover.
Timing is Everything
When it comes to incident response, timing is everything, and the first four hours are among the most critical to stopping an attack, responding, recovering, and resuming operations as quickly as possible with minimal disruptions. These are your “golden hours” for incident response.
Essentially, it’s all about ensuring you have an effective plan built and tested for your organization’s unique environment and attack surface and that you document every step along the way.
Four Key Steps for Active Incident Response
When your organization is in the heat of the attack, your incident response plan should be so tested and well-tuned that your teams can quickly and accurately respond—even as the attack evolves around them. Remember, most attackers have already run recon on your systems and network. They’re actively anticipating how you will respond and are looking for backdoors and workarounds to circumvent your response tactics. However, with these four key steps, you can keep pace and ensure you’re learning from your incidents while they happen and take away lessons learned for next time.
- Respond: Speed is critical. Once you’ve identified your threat, you have to keep your eyes on every movement and be prepared to engage every time a tactic evolves or pivots. Keep your eyes up—and on—the threat actors so that your teams (for example, your MSP/MSSP, legal, and incident response teams) can act proactively in what is otherwise a reactive situation.
- Active Defense: Ensure your teams have the correct tools, processes, and resources to mount an active defense against the attack.
- Preserve: It’s all about documentation and evidence capture here. If you face legal or compliance actions due to a cyber incident, you must be able to document what happened, the steps you took, and the outcome of every step of your incident response strategy. The Office for Civil Rights (OCR), for example, will want to see that you’ve executed the data security and privacy strategies you reported. Failure to do so could lead to higher penalties or other punitive actions. But it’s also a learning opportunity your teams can use to improve future response plans.
- Report: As part of various compliance requirements, depending on the nature and size of the breach, you’ll have to file various reports about what happened, how you responded, timeframes, and results. Each compliance and regulatory agency has different requirements on when you must make these reports, so be well-versed in timetables before an incident happens and include reporting mechanisms in your incident response plans.
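The Preserve and Report steps both come down to keeping a record that can be trusted later: every action, who took it, when, and what evidence was captured, plus the clock on each notification you owe. The following is an added illustration, not code from Clearwater or 1stResponder, of a tamper-evident incident journal: each entry is hash-chained to the previous one so that a later edit is detectable, evidence artefacts are recorded by SHA-256 digest, and the journal tracks whether an action fell inside the four-hour golden window and which reporting deadlines are overdue. The incident ID, timeline entries, and the reporting windows in REPORTING_WINDOWS_DAYS are constructed placeholders; substitute the timetable your counsel and regulators actually require.

```python
"""Tamper-evident incident journal with golden-hour and reporting-deadline tracking.

Added example for the Respond / Preserve / Report steps; not the page's own code.
All timeline data and reporting windows below are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

GOLDEN_WINDOW = timedelta(hours=4)  # the "golden hours" described above

# Hypothetical windows (days after discovery). Real windows differ per regulator,
# insurer, and contract: these values are constructed for the demo only.
REPORTING_WINDOWS_DAYS: Dict[str, int] = {"regulator_A": 60, "cyber_insurer": 3, "board": 1}


@dataclass
class Entry:
    ts: str                          # ISO-8601 UTC timestamp of the action
    actor: str                       # role that acted (no personal data)
    action: str                      # what was done
    evidence_sha256: Optional[str]   # digest of any artefact captured
    prev_hash: str                   # hash of the previous entry (the chain link)
    hash: str = ""

    def compute_hash(self) -> str:
        """Hash the entry's content together with the previous hash."""
        payload = json.dumps(
            {"ts": self.ts, "actor": self.actor, "action": self.action,
             "evidence_sha256": self.evidence_sha256, "prev_hash": self.prev_hash},
            sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class IncidentJournal:
    def __init__(self, incident_id: str, discovered_at: datetime):
        self.incident_id = incident_id
        self.discovered_at = discovered_at
        self.entries: List[Entry] = []

    def _genesis(self) -> str:
        return hashlib.sha256(self.incident_id.encode()).hexdigest()

    def record(self, when: datetime, actor: str, action: str,
               evidence: Optional[bytes] = None) -> Entry:
        """Append an action; evidence bytes are stored only as a digest."""
        prev = self.entries[-1].hash if self.entries else self._genesis()
        digest = hashlib.sha256(evidence).hexdigest() if evidence is not None else None
        entry = Entry(when.astimezone(timezone.utc).isoformat(), actor, action, digest, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every link and every stored hash still matches."""
        prev = self._genesis()
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_hash() != entry.hash:
                return False
            prev = entry.hash
        return True

    def within_golden_window(self, when: datetime) -> bool:
        return when - self.discovered_at <= GOLDEN_WINDOW

    def reporting_deadlines(self) -> Dict[str, datetime]:
        return {name: self.discovered_at + timedelta(days=d)
                for name, d in REPORTING_WINDOWS_DAYS.items()}

    def overdue(self, now: datetime, reported: Set[str]) -> List[str]:
        """Notifications past their deadline that have not been filed."""
        return sorted(name for name, deadline in self.reporting_deadlines().items()
                      if name not in reported and now > deadline)


def demo() -> dict:
    """Run a constructed timeline through the journal and return the checks."""
    discovered = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)  # constructed
    journal = IncidentJournal("INC-0001", discovered)               # constructed ID
    steps = [
        (timedelta(minutes=10), "SOC analyst", "Isolated affected workstation", b"fw-log-excerpt"),
        (timedelta(minutes=45), "MSSP", "Blocked attacker egress at perimeter", None),
        (timedelta(hours=3), "IR lead", "Captured memory image of workstation", b"mem-image"),
        (timedelta(hours=6), "Legal", "Notified board of incident", None),
    ]
    for offset, actor, action, evidence in steps:
        journal.record(discovered + offset, actor, action, evidence)

    chain_intact = journal.verify()
    golden = sum(journal.within_golden_window(datetime.fromisoformat(e.ts))
                 for e in journal.entries)
    overdue = journal.overdue(discovered + timedelta(days=5), reported={"board"})

    journal.entries[1].action += " (edited after the fact)"  # simulate tampering
    tamper_detected = not journal.verify()

    return {"chain_intact": chain_intact, "golden_hour_actions": golden,
            "overdue_at_day_5": overdue, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry stores only a digest of the evidence it references, so the journal can be shared with counsel or a regulator without shipping the artefacts themselves; pair it with a copy written to storage the responders cannot modify, since a hash chain detects edits but does not prevent them.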
Lessons Learned from a Healthcare Cyberattack
During a recent Clearwater Cyber Briefing, founder and CEO of 1stResponder, Ricoh Danielson, joined Brian McManamon, General Manager of Clearwater’s Managed Security Services team, to share some incident response learning from a recent case study.
Danielson and McManamon reviewed a recent cyber incident that impacted a large Midwest medical provider. The organization was a victim of a ransomware attack that initially took down its systems but was able to come back online within 84 hours. After the event was resolved, the organization found some contributing factors that made it more susceptible to the attack, including:
- No delineation between the IT and cybersecurity budgets, leaving people, time, money, and resources improperly positioned for active response
- The attackers reconned the organization for over a year without being detected
- The attackers knew what they were doing—they deliberately target small to medium-sized healthcare organizations and medical clinics. Danielson suspects this is because it’s common knowledge that healthcare organizations typically spend at or below 1% of their annual operating budgets on cybersecurity—making smaller organizations particularly vulnerable.
- Failure to validate that exposures were being addressed; MDR was in place, but no one was managing it.
Go Forward and Stay Vigilant
This fight is never over. It’s tempting for organizations to claim victory after a cyber incident is resolved, ousting the attacker and putting new controls in place only to grow complacent over time. But cyberattackers are relentless, and they will try again.
So, how do you get started and maintain a strong incident response plan?
First, be ready. Long before a cyber incident happens, have authentic conversations across your response teams about how ready you are to respond to an attack. Solicit feedback from all of your teams. Create a trusting environment, one where respondents feel they can be honest about their opinions. Listen and draw on that feedback. If your testing and tabletop exercises build confidence that your incident response plan is effective and will work, that’s great, but never stop those activities, as your attack surface and the threat landscape are constantly evolving. Don’t shy away from critical feedback. If your teams feel you’re not ready to respond, ask the hard question: What do we need to do to get there? Then, adjust your response plans accordingly and test again.
Second, evaluate the investments your organization is making into cybersecurity and your incident response plans.
- Have you made the appropriate financial investment in terms of personnel, tools, resources, and external support?
- Do you need to invest more to mature your cybersecurity practices and strengthen your program?
- Could you benefit from working with security and incident response consultants to ensure you’re maximizing your investments for the most effective and timely response?
- Do you have a solid understanding of business risk? How would your most critical operations be affected by a cyber incident and what would the impact of downtime or loss be on your operational resilience?
- Have you properly trained and educated your staff and key stakeholders about cyber hygiene and response protocols?
And finally, be your own first responder. In the heat of a cyber incident, your organization is going to have to save itself first. That means always having a plan and routinely conducting training to ensure your teams are always ready. Once your plan is activated, you can then connect with the appropriate resources for additional support to ensure a successful response.
Building an active incident response plan is no small task. It’s not just about ensuring your organization follows a specific framework or that you’ve implemented the appropriate controls. Those are critical steps, but they’re just the beginning. Effective incident response requires a clear understanding of your cyber risks and of how they correlate to actual business risks. With this understanding, your teams can strengthen your plans so they always know how to prioritize response and recovery actions to decrease the impact on your business.
According to IBM’s 2023 Cost of a Data Breach report, organizations with both an incident response team and incident response plan testing identified breaches 54 days faster than those with neither. If you’re not confident your current incident response plans can adapt to the rapidly changing threat landscape, or if you’re struggling to keep pace with your ever-expanding attack surface, consider working with a healthcare cybersecurity and incident response consultant. A consultant can help you conduct business impact and risk analyses so you better understand your business, cyber, and compliance risks, and can ensure you’re building effective response plans so you’re ready when your organization faces its next cyber event.